Mozilla Firefox accounted for 44% of browser-based vulnerabilities in the first half of 2009, more than any other browser, according to a new report from Cenzic Inc.
Apple's Safari browser came in second, with 35% of all browser-based flaws, followed by Internet Explorer (15%). The Santa Clara, Calif.-based penetration testing vendor said the Safari vulnerabilities were due to issues discovered in the Apple iPhone-based browser. Cenzic said browser vulnerabilities accounted for 8% of the total Web vulnerabilities.
The browsers were ranked by the number of bugs in a study reviewing Web-based vulnerability data collected by Cenzic in the first half of 2009. The firm said that 78% of the 3,100 reported vulnerabilities it identified were Web-based.
Experts caution that the number of vulnerabilities addressed by a browser maker doesn't necessarily mean a particular browser is less secure. For example, Mozilla may be more proactively reporting and repairing vulnerabilities than other browser makers.
Johnathan Nightingale, Mozilla's security and usability expert, called bug counting a waste of time. Nightingale said it ignores the fact that Mozilla can get a patch out to 90% of its user base in less than five or six days, a feat unmatched by many other browser makers.
"What would certainly help make a better assessment is if everyone was open about all the bugs they fixed and if every security fix was well documented," Nightingale said. "There are vendors out there not doing that or bundling several patches together to keep the numbers low and they are going to show up well in these reports."
More important is the fact that many users have outdated third-party browser components, a favorite target of attackers, Nightingale said. Mozilla launched a tool in October that scans Firefox to detect outdated plugins.
The number of Web application vulnerabilities increased more than 10% from the second half of 2008. The flaws were contained in Web servers, applications, Web browsers, plug-ins and ActiveX controls. Information leakage, cross-site scripting (XSS) errors and improper authentication bugs were among the biggest issues found in many Web applications, Cenzic said.
"Of the published vulnerabilities in commercial off-the-shelf applications, SQL injection, and XSS were once again the most common, which is why it is no coincidence that most of the attacks in the first half [of the year] exploited these two vulnerabilities," the Cenzic report noted.
Information leakage errors accounted for 87% of vulnerabilities discovered by Cenzic tests. Web applications that reveal sensitive user data or HTML comments left by developers could be used by hackers to gather data and attempt to penetrate a company's defenses, Cenzic said. XSS errors accounted for 73% of vulnerabilities discovered. The flaws enable an attacker to inject malicious code into the application to spoof content or hijack legitimate websites to target visitors.
Authentication flaws also increased, accounting for 56% of vulnerabilities encountered by Cenzic. The errors allow users to log in without supplying correct credentials. Sometimes the errors can reveal valid usernames and passwords, allowing an attacker to easily gain access to systems, Cenzic said.
The firm also cited a number of different high-profile attacks carried out by hackers exploiting common Web-based vulnerabilities. Hackers carried out XSS attacks against HSBC and Barclays banking websites in June. Turkish hackers gained access to low-level U.S. Army Web servers in May by exploiting SQL injection vulnerabilities, redirecting a website to a webpage protesting climate change.
"It's evident from some of the highly visible attacks in the last couple of years that many attacks go unnoticed for months and years before they are caught, and even those are by accident," the report noted. "We believe that for every attack that's reported, there are a hundred more that have gone unnoticed, as most companies don't know when they are being hacked."